Recommended Baseline Audit Policy for Windows Server 2008

If you enable too wide an audit policy you will be inundated with "noise" events. I recommend starting with this baseline and tweaking from there. This policy turns off the worst offenders and the other subcategories whose events aren't typically worth much.

Before using this recommendation make sure you review my article on auditpol and its related articles as well!

(Running all these commands at once also makes your hard drive emit a really cool sound pattern, too!)

auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable

auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable

auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable

auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

auditpol /set /subcategory:"File System" /success:enable /failure:enable

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

auditpol /set /subcategory:"SAM" /success:disable /failure:disable

auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable

auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable

auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable

auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable

auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable

auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable

auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable

auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable

auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable

auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable

auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
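Once the commands above have been applied, the practical question is whether a host still matches the baseline a month later (a GPO, an installer or a colleague running auditpol can silently change subcategories). The following drift check is an added example and not part of the original article: it parses the page's own `auditpol /set` lines into a baseline, parses the CSV that `auditpol /get /category:* /r` prints on a host, and lists every subcategory that deviates together with the command that restores it. The CSV sample is constructed, its column layout (Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting) is an assumption about the `/r` format, and the GUID values are placeholders.

```python
"""Drift check for the baseline audit policy listed above.

Added example; it is not part of the original article. It parses the page's
`auditpol /set` lines into a baseline, parses the CSV that
`auditpol /get /category:* /r` prints on a host, and reports every
subcategory that deviates, together with the auditpol command that would
restore it. SAMPLE_CSV is constructed for offline use; the /r column layout
it assumes is noted below.
"""
import csv
import io
import re

# Matches the page's own command form:
#   auditpol /set /subcategory:"Name" /success:enable /failure:disable
SET_LINE = re.compile(
    r'auditpol\s+/set\s+/subcategory:"(?P<name>[^"]+)"'
    r'\s+/success:(?P<success>enable|disable)'
    r'\s+/failure:(?P<failure>enable|disable)',
    re.IGNORECASE,
)

# Excerpt of the baseline above; in practice feed the whole script from the page.
BASELINE_SCRIPT = """
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
"""

# CONSTRUCTED sample of `auditpol /get /category:* /r` output. Assumed column
# layout: Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting. GUIDs are placeholders, not real ones.
SAMPLE_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{guid-placeholder},Success and Failure,
SRV01,System,Account Lockout,{guid-placeholder},Success,
SRV01,System,Process Creation,{guid-placeholder},No Auditing,
SRV01,System,Handle Manipulation,{guid-placeholder},Success and Failure,
SRV01,System,Other System Events,{guid-placeholder},Failure,
"""

# "Inclusion Setting" text -> (success audited, failure audited)
INCLUSION = {
    "success and failure": (True, True),
    "success": (True, False),
    "failure": (False, True),
    "no auditing": (False, False),
}


def parse_baseline(script):
    """Map subcategory -> (success, failure) from auditpol /set lines."""
    policy = {}
    for line in script.splitlines():
        m = SET_LINE.search(line)
        if m:
            policy[m["name"]] = (m["success"].lower() == "enable",
                                 m["failure"].lower() == "enable")
    return policy


def parse_auditpol_csv(text):
    """Map subcategory -> (success, failure) from `auditpol /get ... /r` CSV."""
    current = {}
    for row in csv.DictReader(io.StringIO(text)):
        setting = (row.get("Inclusion Setting") or "").strip().lower()
        if setting in INCLUSION:
            current[row["Subcategory"].strip()] = INCLUSION[setting]
    return current


def find_drift(baseline, current):
    """Return {subcategory: (expected, actual)}; actual is None when the host
    did not report the subcategory at all (older OS, or a typo in the name)."""
    return {name: (want, current.get(name))
            for name, want in baseline.items() if current.get(name) != want}


def remediation_commands(drift):
    """Build the auditpol /set lines that bring each drifted entry back."""
    def flag(on):
        return "enable" if on else "disable"
    return [f'auditpol /set /subcategory:"{name}" '
            f'/success:{flag(s)} /failure:{flag(f)}'
            for name, ((s, f), _) in sorted(drift.items())]


if __name__ == "__main__":
    drift = find_drift(parse_baseline(BASELINE_SCRIPT),
                       parse_auditpol_csv(SAMPLE_CSV))
    for name, (want, got) in sorted(drift.items()):
        print(f"{name}: expected {want}, host reports {got}")
    print("\n".join(remediation_commands(drift)))
```

On a real host, run `auditpol /get /category:* /r > current.csv` and pass the file contents to `parse_auditpol_csv`; the complete command list on this page can be handed to `parse_baseline` unchanged. A subcategory reported as `None` (here "Kerberos Service Ticket Operations", which the constructed sample omits) is worth a look before you run the remediation line, since it usually means the name was not recognised rather than that the setting is wrong.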

User Comments


Posted by DiPersiaTech, Thursday, August 20, 2009


Randy - Just had a recommendation from Microsoft to disable success and failures for Kerberos Service Ticket ops, as we're getting 75 failures every five minutes on SBS 2008. Here's what they had to say:

"According to the event, the Failure Code 0xe means "KDC has no support for encryption type". This error was caused by Kerberos Enhancements in Windows Server 2008. The base Kerberos protocol in Windows Server 2008 supports AES for encryption of ticket-granting tickets (TGTs), service tickets, and session keys. But old systems don't support this new encryption type. If there is no actual logon problem occurring in the domain, we can safely ignore this event."

Googling around, this seems to make sense. But we wonder what other important events we'll miss. Our monitoring software is going haywire with the amount of events being sent by Kerberos. Thoughts?

Posted by RandyFranklinSmith, Monday, August 24, 2009


It sounds right but not a good situation. Illustrates why even the new, more granular audit policy in Win2008 doesn't do the job. Anyway, if you disable the "Kerberos Service Ticket Operations" subcategory you
- will NOT lose record of initial authentication - that's provided by the related "Kerberos Authentication Service" subcategory
- WILL lose record of which computers (workstations, member servers) the user subsequently accessed

Posted by michael c, Tuesday, October 27, 2009


I'm creating standard auditpol scripts for our environments--the above is fine for a domain, but for a standalone server, I'm disabling:

/category:"DS Access"
/subcategory:"Kerberos Service Ticket Operations"
/subcategory:"Kerberos Authentication Service"

My questions are:

1. Is it worth it, performance-wise, to set these on the non-domain systems?
2. Are there any domain-only that I am carelessly omitting?

mc

Posted by RandyFranklinSmith, Tuesday, October 27, 2009


Michael,
Disabling those categories on member servers won't hurt anything but it also won't eliminate any events since they don't produce any events on member servers anyway.

Posted by James, Tuesday, December 08, 2009


The Detailed File Share subcategory appears to be missing from your Recommended Baseline Audit Policy as well as your Windows Server 2008 Security Log Revealed. I presume you would recommend enabling auditing for this subcategory?

Posted by RandyFranklinSmith, Tuesday, February 16, 2010


James, MS added the Detailed File Share subcategory in Win2008 R2 which came out after the book. We do need to add an article for it here. However I'm not impressed with the subcategory. It only logs one event but logs that one event a lot. See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145

Posted by Tom Martin, Tuesday, July 13, 2010


Hello Randy,

I had a question about your recommendation to disable auditing for IPSec Main Mode, IPSec Quick Mode and IPSec Extended Mode. We just built a secure environment by configuring IPSec on our 2008 R2 servers. My question is, if I disable this IPSec auditing, will I not receive any events if we have IPSec security issues in our new environment?

Thanks,
Tom

Posted by RandyFranklinSmith, Saturday, September 04, 2010


Tom, Fair enough, if you are using Windows IPSec then you may want to enable these. Think about whether you want success or just failure.

Posted by Dr Tariq Javid, Thursday, November 25, 2010


Hi Randy. This information is indeed helpful. I need to know if it is applicable to a Windows 2008 R2 domain? Thanks in advance.

Posted by RandyFranklinSmith, Thursday, December 02, 2010


Yes, it is applicable to R2.

Posted by Mark E Mark, Monday, December 06, 2010


Thanks for this Randy. The default settings for SBS08 were just worthless and unmanageable.

Posted by LogTech, Thursday, June 16, 2011


Randy,
I enjoy your site and visit it frequently. I came across a question that I have not been able to get answered in relation to audit policy. I know that Event ID 4625 is associated with Successful lockouts in Windows 2008. However, what does Windows track with the Account Lockout subcategory when Failures are enabled? I have never seen an account lockout failure and am not aware of any Event ID associated with this. Your recommendation above says to enable this. Can you please advise on this? Thanks.

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

Posted by RandyFranklinSmith, Friday, June 17, 2011


LogTech, you are right, there are no failed account lockouts. Many categories are like this - that is - having no failure events. So really there's no reason to enable it - perhaps I'll revise the policy, but it really doesn't make a difference either way.

Posted by Tom Martin, Saturday, June 18, 2011


Hi Randy,

If I remember correctly, you recommend disabling success and failure for all 9 categories and handle all auditing via the subcategories? Is this correct?

Thanks,
Tom

Posted by RandyFranklinSmith, Wednesday, June 22, 2011


Very close, Tom. Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Now Windows Vista and later ignore your 9 audit policy category settings and only look at your subcategories.

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Audit-Force-audit-policy-subcategory-settings-Windows-Vista-or-later-to-override-audit-policy-catego

Posted by Sandy, Tuesday, October 18, 2011


Hi Randy,

How can I suppress audit log events for Windows service accounts only?

Thanks,
Sandy

Posted by RandyFranklinSmith, Monday, November 14, 2011


Sandy, there's no granular audit policy way of doing that, unfortunately.

Applies To: Vista, Windows Server 2008